
Azucar Azure Security Auditing Tool Cheat Sheet

Overview

Azucar is an open-source security auditing tool for Azure environments developed by Juan Garrido. It automatically gathers a variety of configuration data from Azure Active Directory, Azure SQL Databases, Storage Accounts, Key Vaults, and other Azure services to help identify potential security issues and misconfigurations.

⚠️ Warning: This tool is intended for authorized security assessments and auditing only. Ensure you have proper authorization before using in any environment.

Installation

```powershell
# Install from PowerShell Gallery
Install-Module -Name Azucar

# Install for current user only
Install-Module -Name Azucar -Scope CurrentUser

# Update existing installation
Update-Module -Name Azucar

# Import module
Import-Module Azucar
```

Manual Installation

```powershell
# Download from GitHub
Invoke-WebRequest -Uri "https://github.com/nccgroup/azucar/archive/master.zip" -OutFile "Azucar.zip"
Expand-Archive -Path "Azucar.zip" -DestinationPath "C:\Tools\"

# Import module
Import-Module C:\Tools\Azucar-master\Azucar.psd1

# Install dependencies
Install-Module -Name Az
Install-Module -Name AzureAD
```

Git Installation

```bash
# Clone repository
git clone https://github.com/nccgroup/azucar.git
cd azucar
```

```powershell
# Import in PowerShell
Import-Module .\Azucar.psd1
```

Basic Usage

Module Setup

```powershell
# Import Azucar
Import-Module Azucar

# Get available commands
Get-Command -Module Azucar

# Get help for main function
Get-Help Invoke-Azucar -Full

# Check module version
Get-Module Azucar
```

Authentication

```powershell
# Interactive authentication
Connect-AzAccount

# Service principal authentication (username = application ID, password = client secret)
$credential = Get-Credential
Connect-AzAccount -ServicePrincipal -Credential $credential -TenantId "tenant-id"

# Certificate authentication
Connect-AzAccount -ServicePrincipal -CertificateThumbprint "thumbprint" -ApplicationId "app-id" -TenantId "tenant-id"
```

Command Reference

Main Commands

| Command | Description |
| --- | --- |
| Invoke-Azucar | Main auditing function |
| Get-AzucarReport | Generate audit report |
| Export-AzucarData | Export audit data |
| Set-AzucarConfig | Configure audit settings |

Audit Options

| Parameter | Description |
| --- | --- |
| -TenantId | Azure AD tenant ID |
| -SubscriptionId | Azure subscription ID |
| -OutputPath | Output directory path |
| -Format | Report format (HTML/JSON/CSV) |
| -Verbose | Enable verbose output |

Comprehensive Security Audit

Basic Audit

```powershell
# Run basic security audit
Invoke-Azucar

# Audit specific tenant
Invoke-Azucar -TenantId "tenant-id"

# Audit specific subscription
Invoke-Azucar -SubscriptionId "subscription-id"

# Audit with custom output path
Invoke-Azucar -OutputPath "C:\AzureAudit\"
```

Advanced Audit Options

```powershell
# Comprehensive audit with all checks
Invoke-Azucar -All

# Audit specific services
Invoke-Azucar -Services @("AzureAD", "Storage", "KeyVault", "SQL")

# Audit with specific compliance framework
Invoke-Azucar -ComplianceFramework "CIS"

# Audit with custom configuration
Invoke-Azucar -ConfigFile "custom-config.json"
```

Multi-Tenant Audit

```powershell
# Audit multiple tenants
$tenants = @("tenant1-id", "tenant2-id", "tenant3-id")
foreach ($tenant in $tenants) {
    Invoke-Azucar -TenantId $tenant -OutputPath "C:\AzureAudit\$tenant\"
}

# Audit all tenants the signed-in account can see
$allTenants = Get-AzTenant
foreach ($tenant in $allTenants) {
    Invoke-Azucar -TenantId $tenant.Id -OutputPath "C:\AzureAudit\$($tenant.Id)\"
}
```

Azure Active Directory Auditing

User and Group Analysis

```powershell
# Audit Azure AD users
Invoke-Azucar -Services @("AzureAD") -Focus "Users"

# Check for privileged users
Invoke-Azucar -Services @("AzureAD") -Focus "PrivilegedUsers"

# Audit group memberships
Invoke-Azucar -Services @("AzureAD") -Focus "Groups"

# Check guest user access
Invoke-Azucar -Services @("AzureAD") -Focus "GuestUsers"
```

Application and Service Principal Analysis

```powershell
# Audit applications
Invoke-Azucar -Services @("AzureAD") -Focus "Applications"

# Check application permissions
Invoke-Azucar -Services @("AzureAD") -Focus "ApplicationPermissions"

# Audit service principals
Invoke-Azucar -Services @("AzureAD") -Focus "ServicePrincipals"

# Check for overprivileged applications
Invoke-Azucar -Services @("AzureAD") -Focus "HighPrivilegeApps"
```

Conditional Access and Security Policies

```powershell
# Audit Conditional Access policies
Invoke-Azucar -Services @("AzureAD") -Focus "ConditionalAccess"

# Check MFA configuration
Invoke-Azucar -Services @("AzureAD") -Focus "MFA"

# Audit password policies
Invoke-Azucar -Services @("AzureAD") -Focus "PasswordPolicies"

# Check security defaults
Invoke-Azucar -Services @("AzureAD") -Focus "SecurityDefaults"
```

Azure Resource Auditing

Storage Account Security

```powershell
# Audit storage accounts
Invoke-Azucar -Services @("Storage")

# Check storage account public access
Invoke-Azucar -Services @("Storage") -Focus "PublicAccess"

# Audit storage encryption
Invoke-Azucar -Services @("Storage") -Focus "Encryption"

# Check storage account keys
Invoke-Azucar -Services @("Storage") -Focus "AccessKeys"
```

Key Vault Security

```powershell
# Audit Key Vaults
Invoke-Azucar -Services @("KeyVault")

# Check Key Vault access policies
Invoke-Azucar -Services @("KeyVault") -Focus "AccessPolicies"

# Audit Key Vault secrets
Invoke-Azucar -Services @("KeyVault") -Focus "Secrets"

# Check Key Vault network access
Invoke-Azucar -Services @("KeyVault") -Focus "NetworkAccess"
```

SQL Database Security

```powershell
# Audit SQL databases
Invoke-Azucar -Services @("SQL")

# Check SQL server firewall rules
Invoke-Azucar -Services @("SQL") -Focus "FirewallRules"

# Audit SQL database encryption
Invoke-Azucar -Services @("SQL") -Focus "Encryption"

# Check SQL auditing configuration
Invoke-Azucar -Services @("SQL") -Focus "Auditing"
```

Virtual Machine Security

```powershell
# Audit virtual machines
Invoke-Azucar -Services @("VirtualMachines")

# Check VM network security groups
Invoke-Azucar -Services @("VirtualMachines") -Focus "NetworkSecurity"

# Audit VM disk encryption
Invoke-Azucar -Services @("VirtualMachines") -Focus "DiskEncryption"

# Check VM backup configuration
Invoke-Azucar -Services @("VirtualMachines") -Focus "Backup"
```

Network Security Auditing

Network Security Groups

```powershell
# Audit network security groups
Invoke-Azucar -Services @("Network") -Focus "SecurityGroups"

# Check for overly permissive rules
Invoke-Azucar -Services @("Network") -Focus "PermissiveRules"

# Audit inbound rules
Invoke-Azucar -Services @("Network") -Focus "InboundRules"

# Check for default rules
Invoke-Azucar -Services @("Network") -Focus "DefaultRules"
```
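What a "permissive rule" check boils down to is an inbound Allow rule whose source is any address and whose destination covers a management or database port. The function below is an added example, not Azucar's own code: it applies that test to constructed sample rules shaped like the `SecurityRules` objects `Get-AzNetworkSecurityGroup` returns, so it runs offline; the port list is an assumed default.

```powershell
# Added example (not part of Azucar): flag inbound NSG rules that allow any
# source to reach sensitive ports. With Az.Network, feed it
# (Get-AzNetworkSecurityGroup).SecurityRules instead of the sample below.
function Find-PermissiveNsgRule {
    param(
        [Parameter(Mandatory)] [object[]] $Rules,
        [int[]] $SensitivePorts = @(22, 3389, 1433, 3306, 5985, 5986)   # assumed default list
    )
    $anySource = @('*', '0.0.0.0/0', 'Internet', 'Any')
    foreach ($rule in $Rules) {
        if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }
        # Az exposes either the singular or the plural property; merge both
        $sources = @($rule.SourceAddressPrefix) + @($rule.SourceAddressPrefixes) | Where-Object { $_ }
        if (-not ($sources | Where-Object { $anySource -contains $_ })) { continue }
        $ports = @($rule.DestinationPortRange) + @($rule.DestinationPortRanges) | Where-Object { $_ }
        $hit = foreach ($p in $ports) {
            if ($p -eq '*') { 'all ports'; continue }
            if ($p -match '^(\d+)-(\d+)$') {
                $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
                $SensitivePorts | Where-Object { $_ -ge $lo -and $_ -le $hi }
            } elseif ($SensitivePorts -contains [int]$p) { [int]$p }
        }
        if ($hit) {
            [pscustomobject]@{
                Rule = $rule.Name; Priority = $rule.Priority
                Source = ($sources -join ','); ExposedPorts = ($hit -join ',')
            }
        }
    }
}

# Constructed sample rules (two should be flagged, two should not)
$sampleRules = @(
    [pscustomobject]@{ Name='allow-rdp-any'; Direction='Inbound'; Access='Allow'; Priority=100
                       SourceAddressPrefix='*'; DestinationPortRange='3389' }
    [pscustomobject]@{ Name='allow-mgmt-range'; Direction='Inbound'; Access='Allow'; Priority=110
                       SourceAddressPrefix='Internet'; DestinationPortRange='20-25' }
    [pscustomobject]@{ Name='allow-https-corp'; Direction='Inbound'; Access='Allow'; Priority=120
                       SourceAddressPrefix='10.0.0.0/8'; DestinationPortRange='443' }
    [pscustomobject]@{ Name='deny-all'; Direction='Inbound'; Access='Deny'; Priority=4096
                       SourceAddressPrefix='*'; DestinationPortRange='*' }
)
Find-PermissiveNsgRule -Rules $sampleRules | Format-Table
```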

Virtual Network Configuration

```powershell
# Audit virtual networks
Invoke-Azucar -Services @("Network") -Focus "VirtualNetworks"

# Check subnet configuration
Invoke-Azucar -Services @("Network") -Focus "Subnets"

# Audit network peering
Invoke-Azucar -Services @("Network") -Focus "Peering"

# Check DNS configuration
Invoke-Azucar -Services @("Network") -Focus "DNS"
```

Compliance and Governance

CIS Benchmark Assessment

```powershell
# Run CIS Azure benchmark
Invoke-Azucar -ComplianceFramework "CIS"

# Generate CIS compliance report
Invoke-Azucar -ComplianceFramework "CIS" -Format "HTML" -OutputPath "C:\CIS_Report\"

# Check specific CIS controls
Invoke-Azucar -ComplianceFramework "CIS" -Controls @("1.1", "1.2", "2.1")
```

Azure Security Center Integration

```powershell
# Audit Security Center configuration
Invoke-Azucar -Services @("SecurityCenter")

# Check security policies
Invoke-Azucar -Services @("SecurityCenter") -Focus "Policies"

# Audit security recommendations
Invoke-Azucar -Services @("SecurityCenter") -Focus "Recommendations"

# Check security alerts
Invoke-Azucar -Services @("SecurityCenter") -Focus "Alerts"
```

Resource Governance

```powershell
# Audit resource groups
Invoke-Azucar -Services @("ResourceManagement") -Focus "ResourceGroups"

# Check resource tags
Invoke-Azucar -Services @("ResourceManagement") -Focus "Tags"

# Audit resource locks
Invoke-Azucar -Services @("ResourceManagement") -Focus "Locks"

# Check resource policies
Invoke-Azucar -Services @("ResourceManagement") -Focus "Policies"
```

Report Generation and Analysis

HTML Reports

```powershell
# Generate HTML report
Invoke-Azucar -Format "HTML" -OutputPath "C:\AzureAudit\"

# Generate detailed HTML report
Invoke-Azucar -Format "HTML" -Detailed -OutputPath "C:\AzureAudit\"

# Generate executive summary
Invoke-Azucar -Format "HTML" -Summary -OutputPath "C:\AzureAudit\"
```

JSON and CSV Export

```powershell
# Export to JSON
Invoke-Azucar -Format "JSON" -OutputPath "C:\AzureAudit\"

# Export to CSV
Invoke-Azucar -Format "CSV" -OutputPath "C:\AzureAudit\"

# Export raw data
Invoke-Azucar -Format "Raw" -OutputPath "C:\AzureAudit\"
```

Custom Report Templates

```powershell
# Use custom report template
Invoke-Azucar -Template "custom-template.html" -OutputPath "C:\AzureAudit\"

# Generate report with custom branding
Invoke-Azucar -Template "branded-template.html" -CompanyName "Your Company" -OutputPath "C:\AzureAudit\"
```

Advanced Configuration

Custom Configuration File

```json
{
  "AuditSettings": {
    "IncludeServices": ["AzureAD", "Storage", "KeyVault", "SQL"],
    "ExcludeChecks": ["LowPriority"],
    "OutputFormat": "HTML",
    "DetailLevel": "High"
  },
  "ComplianceFrameworks": {
    "CIS": {
      "Version": "1.3.0",
      "IncludeControls": ["1.*", "2.*", "3.*"]
    }
  },
  "ReportSettings": {
    "IncludeRecommendations": true,
    "IncludeEvidence": true,
    "GroupByService": true
  }
}
```
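A configuration file like the one above is only useful if the names in it are valid and the `"1.*"`-style control patterns expand to the controls you expect. The function below is an added example, not Azucar's own code: it loads the file, rejects unknown service names, and expands the CIS control patterns against a control list; the list of known services and available control IDs are assumptions for illustration.

```powershell
# Added example (not part of Azucar): validate and resolve the custom config
# file format shown above. $KnownServices and $AvailableControls are assumed.
function Resolve-AzucarAuditConfig {
    param(
        [Parameter(Mandatory)] [string] $ConfigPath,
        [string[]] $KnownServices = @('AzureAD','Storage','KeyVault','SQL','VirtualMachines',
                                      'Network','SecurityCenter','ResourceManagement'),
        [string[]] $AvailableControls = @('1.1','1.2','1.3','2.1','2.2','3.1','3.7','4.1','5.1')
    )
    $config = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json

    # Fail early on a typo in IncludeServices rather than silently auditing less
    $unknown = $config.AuditSettings.IncludeServices | Where-Object { $KnownServices -notcontains $_ }
    if ($unknown) { throw "Unknown service(s) in IncludeServices: $($unknown -join ', ')" }

    # Turn each glob pattern ("1.*") into a regex anchored at both ends
    $patterns = $config.ComplianceFrameworks.CIS.IncludeControls | ForEach-Object {
        '^' + [regex]::Escape($_).Replace('\*', '.*') + '$'
    }
    $controls = $AvailableControls | Where-Object {
        $id = $_
        $patterns | Where-Object { $id -match $_ } | Select-Object -First 1
    }

    [pscustomobject]@{
        Services        = @($config.AuditSettings.IncludeServices)
        Format          = $config.AuditSettings.OutputFormat
        CisVersion      = $config.ComplianceFrameworks.CIS.Version
        Controls        = @($controls)
        Recommendations = [bool]$config.ReportSettings.IncludeRecommendations
    }
}

# Constructed config written to a temp file so the example runs stand-alone
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'azucar-config.json'
@'
{ "AuditSettings": { "IncludeServices": ["AzureAD", "Storage"], "OutputFormat": "HTML" },
  "ComplianceFrameworks": { "CIS": { "Version": "1.3.0", "IncludeControls": ["1.*", "3.7"] } },
  "ReportSettings": { "IncludeRecommendations": true } }
'@ | Set-Content -Path $tmp
Resolve-AzucarAuditConfig -ConfigPath $tmp
```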

PowerShell Configuration

```powershell
# Set custom configuration
$config = @{
    Services = @("AzureAD", "Storage", "KeyVault")
    OutputFormat = "HTML"
    DetailLevel = "High"
    IncludeRecommendations = $true
}

Set-AzucarConfig -Configuration $config

# Run audit with custom configuration
Invoke-Azucar -UseCustomConfig
```

Filtering and Exclusions

```powershell
# Exclude specific resource groups
Invoke-Azucar -ExcludeResourceGroups @("test-rg", "dev-rg")

# Include only specific subscriptions
Invoke-Azucar -IncludeSubscriptions @("sub1-id", "sub2-id")

# Exclude low-priority findings
Invoke-Azucar -ExcludeSeverity @("Low", "Informational")

# Filter by resource tags
Invoke-Azucar -FilterByTags @{Environment="Production"; Owner="Security"}
```

Automation and Scheduling

Automated Audit Script

```powershell
# Automated Azure security audit script
param(
    [string]$TenantId,
    [string]$OutputPath = "C:\AzureAudit",
    [string]$EmailRecipients = "security@company.com",
    [string]$EmailFrom = "audit@company.com",      # placeholder: Send-MailMessage requires -From
    [string]$SmtpServer = "smtp.company.com"       # placeholder: and an SMTP relay
)

# Create output directory with timestamp
$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
$auditPath = Join-Path $OutputPath "Audit_$timestamp"
New-Item -ItemType Directory -Path $auditPath -Force | Out-Null

# Authenticate to Azure (fall back to the account's default tenant when none is given)
if ($TenantId) { Connect-AzAccount -TenantId $TenantId } else { Connect-AzAccount }

# Run comprehensive audit
Write-Host "Starting Azure security audit..."
Invoke-Azucar -All -Format "HTML" -OutputPath $auditPath

# Generate summary report
$reportPath = Join-Path $auditPath "AzureSecurityAudit.html"
if (Test-Path $reportPath) {
    Write-Host "Audit completed successfully"

    # Send email notification
    $subject = "Azure Security Audit Completed - $timestamp"
    $body = "Azure security audit has been completed. Report available at: $reportPath"

    Send-MailMessage -From $EmailFrom -To $EmailRecipients -Subject $subject -Body $body -Attachments $reportPath -SmtpServer $SmtpServer
} else {
    Write-Error "Audit failed - report not generated"
}
```

Scheduled Task Creation

```powershell
# Create scheduled task for regular audits
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\AzureAudit.ps1"
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 6AM
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

Register-ScheduledTask -TaskName "Azure Security Audit" -Action $action -Trigger $trigger -Settings $settings
```

Continuous Monitoring

```powershell
# Continuous monitoring script
param(
    [int]$IntervalHours = 24,
    [string]$LogPath = "C:\AzureAudit\monitoring.log",
    [string]$AlertFrom = "monitoring@company.com",   # placeholder: Send-MailMessage requires -From
    [string]$SmtpServer = "smtp.company.com"         # placeholder: SMTP relay
)

while ($true) {
    $timestamp = Get-Date
    Write-Output "[$timestamp] Starting Azure security monitoring" | Tee-Object -FilePath $LogPath -Append

    try {
        # Run quick security check
        $findings = Invoke-Azucar -Quick -Format "JSON"

        # Check for critical findings (wrapped in @() so .Count is reliable for a single result)
        $criticalFindings = @($findings | Where-Object { $_.Severity -eq "Critical" })

        if ($criticalFindings.Count -gt 0) {
            Write-Output "[$timestamp] Critical findings detected: $($criticalFindings.Count)" | Tee-Object -FilePath $LogPath -Append

            # Send alert
            $alertSubject = "ALERT: Critical Azure Security Findings"
            $alertBody = "Critical security findings detected in Azure environment. Immediate attention required."
            Send-MailMessage -From $AlertFrom -To "security@company.com" -Subject $alertSubject -Body $alertBody -SmtpServer $SmtpServer
        }
    }
    catch {
        Write-Output "[$timestamp] Error during monitoring: $($_.Exception.Message)" | Tee-Object -FilePath $LogPath -Append
    }

    Start-Sleep -Seconds ($IntervalHours * 3600)
}
```

Troubleshooting

Authentication Issues

```powershell
# Clear cached credentials
Clear-AzContext -Force

# Test authentication
$context = Get-AzContext
if (-not $context) {
    Write-Error "Not authenticated to Azure"
    Connect-AzAccount
}

# Verify which identity the audit will run as
$currentUser = Get-AzADUser -UserPrincipalName (Get-AzContext).Account.Id
Write-Output "Current user: $($currentUser.DisplayName)"
```

Module Issues

```powershell
# Check Azucar installation
Get-Module Azucar -ListAvailable

# Update Azucar
Update-Module Azucar -Force

# Reinstall if necessary
Uninstall-Module Azucar
Install-Module Azucar -Force

# Check dependencies
Get-Module Az -ListAvailable
Get-Module AzureAD -ListAvailable
```

Permission Issues

```powershell
# Check required permissions by probing one Graph endpoint that each permission
# protects (Invoke-AzRestMethod -Uri obtains the Graph token from the current Az context)
$requiredPermissions = [ordered]@{
    "Directory.Read.All"   = "https://graph.microsoft.com/v1.0/directoryRoles?`$top=1"
    "User.Read.All"        = "https://graph.microsoft.com/v1.0/users?`$top=1"
    "Application.Read.All" = "https://graph.microsoft.com/v1.0/applications?`$top=1"
    "Policy.Read.All"      = "https://graph.microsoft.com/v1.0/policies/conditionalAccessPolicies?`$top=1"
}

foreach ($permission in $requiredPermissions.Keys) {
    try {
        # Test permission by attempting to read data it protects
        Write-Output "Testing permission: $permission"
        $response = Invoke-AzRestMethod -Uri $requiredPermissions[$permission] -Method GET
        if ($response.StatusCode -ne 200) {
            Write-Warning "Missing permission: $permission (HTTP $($response.StatusCode))"
        }
    }
    catch {
        Write-Warning "Missing permission: $permission ($($_.Exception.Message))"
    }
}
```

Performance Issues

```powershell
# Run audit with reduced scope
Invoke-Azucar -Services @("AzureAD") -Quick

# Use parallel processing
Invoke-Azucar -Parallel -MaxThreads 5

# Exclude large datasets
Invoke-Azucar -ExcludeServices @("Logs", "Metrics")
```

Integration with Other Tools

SIEM Integration

```powershell
# Export findings to SIEM format (timestamp taken in UTC so the trailing Z is accurate)
$findings = Invoke-Azucar -Format "JSON"
$exportTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$siemEvents = $findings | ForEach-Object {
    @{
        timestamp = $exportTime
        source = "Azucar"
        severity = $_.Severity
        finding = $_.Description
        resource = $_.ResourceId
    }
}

# Send to SIEM
$siemEvents | ConvertTo-Json | Out-File "siem_events.json"
```

PowerBI Integration

```powershell
# Export data for PowerBI
$auditData = Invoke-Azucar -Format "CSV"

# Create PowerBI dataset
$powerBIData = @{
    findings = $auditData.Findings
    resources = $auditData.Resources
    compliance = $auditData.Compliance
}

$powerBIData | ConvertTo-Json | Out-File "powerbi_data.json"
```

Azure DevOps Integration

```yaml
# Azure DevOps pipeline for security auditing
# schedules: is a top-level key in Azure Pipelines, not nested under trigger:
trigger: none

schedules:
- cron: "0 6 * * 1"
  displayName: Weekly security audit
  branches:
    include:
    - main
  always: true   # run even when there were no commits since the last run

pool:
  vmImage: 'windows-latest'

steps:
- task: AzurePowerShell@5
  inputs:
    azureSubscription: 'Azure-Subscription'
    ScriptType: 'InlineScript'
    Inline: |
      Install-Module -Name Azucar -Force
      Import-Module Azucar
      Invoke-Azucar -All -Format "HTML" -OutputPath "$(Build.ArtifactStagingDirectory)"
    azurePowerShellVersion: 'LatestVersion'

- task: PublishBuildArtifacts@1
  inputs:
    PathtoPublish: '$(Build.ArtifactStagingDirectory)'
    ArtifactName: 'AzureSecurityAudit'
```

Resources


This cheat sheet provides a comprehensive reference for using Azucar. Always ensure you have proper authorization before conducting Azure security assessments.